Predictive malware scanning of internet data

US 7,096,500 B2
Filed: 12/21/2001
Issued: 08/22/2006
Est. Priority Date: 12/21/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A computer program product stored on a computer-readable medium for controlling a computer to scan data accessible via an internet link for malware, said computer program product comprising:

(i) address identifying code operable to identify within currently held data at least one internet address associated with said currently held data;

(ii) receiving code operable to pre-emptively retrieve, via said internet link, an addressed data that would be, but has not yet been, accessed by a user following said at least one internet address, after identifying within said currently held data said at least one internet address associated with said currently held data;

(iii) scanning code operable to pre-emptively scan said addressed data that was pre-emptively retrieved utilizing said internet link for malware; and

(iv) storing code operable to store result data identifying at least addressed data in which malware was not found;

wherein said addressed data is cached after said addressed data has been pre-emptively retrieved and pre-emptively scanned, but before said addressed data has been accessed by said user.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

E-mail messages or computer files are scanned to identify embedded internet addresses. These embedded internet address 18 refer to data that may be retrieved via the internet. This data is pre-emptively retrieved and scanned for malware even though it has not been requested by a user. If the data is found to be malware-free, then a record of this is kept. If a user subsequently seeks to access the data associated with the embedded internet address, then the stored data may be referred to and if the internet address is found and the data associated with that address is unchanged since it was previously scanned, then that data may be supplied to the user without the need to be rescanned.

Citations

28 Claims

1. A computer program product stored on a computer-readable medium for controlling a computer to scan data accessible via an internet link for malware, said computer program product comprising:
- (i) address identifying code operable to identify within currently held data at least one internet address associated with said currently held data;
  
  (ii) receiving code operable to pre-emptively retrieve, via said internet link, an addressed data that would be, but has not yet been, accessed by a user following said at least one internet address, after identifying within said currently held data said at least one internet address associated with said currently held data;
  
  (iii) scanning code operable to pre-emptively scan said addressed data that was pre-emptively retrieved utilizing said internet link for malware; and
  
  (iv) storing code operable to store result data identifying at least addressed data in which malware was not found;
  
  wherein said addressed data is cached after said addressed data has been pre-emptively retrieved and pre-emptively scanned, but before said addressed data has been accessed by said user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. A computer program product as claimed in claim 1, wherein said address identifying code is operable to search within said currently held data for string data having a format matching a pointer to an internet address.
  - 3. A computer program product as claimed in claim 1, wherein said currently held data includes received e-mail messages.
  - 4. A computer program product as claimed in claim 1, wherein said scanning code is operable to seek to detect within said addressed data one or more of:
    - computer Viruses;
      
      worms;
      
      Trojans;
      
      banned computer programs;
      
      banned words;
      
      or banned images.
  - 5. A computer program product as claimed in claim 1, wherein said computer is a firewall computer via which internet truffle is passed to a local computer network.
  - 6. A computer program product as claimed in claim 1, wherein if malware is detected within said addressed data, ten one or more malware found actions are triggered.
  - 7. A computer program product as claimed in claim 6, wherein said malware found actions include removing said at least one internet address from said currently held data.
  - 8. A computer program product as claimed in claim 1, wherein said malware found actions including at least one of:
    - (i) preventing access to said currently held data;
      
      (ii) removing said at least one internet address from said currently held data;
      
      (iii) preventing access to said addressed data;
      
      (iv) removing said malware from said addressed data to generate clean addressed data and supplying said clean addressed data in place of said addressed data;
      
      (v) blocking internet access by a computer detected to be seeking to access said at least one internet address.
  - 9. A computer program product as claimed in claim 1, wherein said currently held data is an e-mail and said internet address is an internet link embedded in said e-mail.
  - 10. A computer program product as claimed in claim 1, wherein said currently held data is a file and said internet address is an internet link embedded in said file.
  - 11. A computer program product as claimed in claim 1, wherein addressed data determined to contain malware via said scan is cleaned and said clean addressed data is stored locally for access via said internet address.
  - 12. A computer program product as claimed in claim 1, wherein access to said addressed data is allowed if said result data associated with said addressed data identifies said addressed data as not containing malware and if said addressed data has not changed since it was last scanned.
  - 13. A computer program product as claimed in claim 1, wherein storing said result data identifying at least addressed data in which malware was not found includes storing said result data in a database with an associated date of last scan and at least one of a file size and a checksum associated with said addressed data in which malware was not found.
  - 14. A computer program product as claimed in claim 1, wherein addressed data in which malware was found is cleaned and said clean addressed data is stored locally for access via an updated internet address that replaces said internet address.

15. A method of scanning data accessible via an internet link for malware, said method comprising:
- (i) identifying within currently held data at least one internet address associated with said currently held data;
  
  (ii) after identifying within said currently held data said at least one internet address associated with said currently held data, pre-emptively retrieving, via said internet link, an addressed data that would be, but has not yet been, accessed by a user following said at least one internet address;
  
  (iii) pre-emptively scanning said addressed data that was pre-emptively retrieved utilizing said internet link for malware; and
  
  (iv) storing result data identifying at least addressed data in which malware was not found;
  
  wherein said addressed data is cached after said addressed data has been pre-emptively retrieved and pre-emptively scanned, but before said addressed data has been accessed by said user.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. A method as claimed in claim 15, wherein said identifying includes searching within said currently held data for string data having a format matching a pointer to an internet address.
  - 17. A method as claimed in claim 15, wherein said currently held data includes received e-mail messages.
  - 18. A method as claimed in claim 15, wherein said scanning seeks to detect within said addressed data one or mare of:
    - computer viruses;
      
      worms;
      
      Trojans;
      
      banned computer programs;
      
      banned words;
      
      or banned images.
  - 19. A method as claimed in claim 15, wherein said method is performed by a firewall computer via which internet traffic is passed to a local computer network.
  - 20. A method as claimed in claim 15, wherein if malware is detected within said addressed data, then one or more malware found actions are triggered.
  - 21. A method as claimed in claim 15, wherein said malware found actions including at least one of:
    - (i) preventing access to said currently held data;
      
      (ii) removing said at least one internet address from said currently held data;
      
      (iii) preventing access to said addressed data;
      
      (iv) removing said malware from said addressed data to generate clean addressed data and supplying said clean addressed data in place of said addressed data;
      
      (v) blocking internet access by a computer detected to be seeking to access said at least one internet address.

22. Apparatus for scanning data accessible via an internet link for malware, said apparatus comprising:
- (i) address identifying logic operable to identify within currently held data at least one internet address associated with said currently held data;
  
  (ii) retrieving logic operable to pre-emptively retrieve via said internet link addressed data that would be, but has not yet been, accessed by a user following said at least one internet address, after identifying within said currently held data said at least one internet address associated with said currently held data;
  
  (iii) scanning logic operable to pre-emptively scan said addressed data that was pre-emptively retrieved utilizing said internet link for malware; and
  
  (iv) storing logic operable to store result data identifying at least addressed data in which malware was not found;
  
  wherein said addressed data is cached after said addressed data has been pre-emptively retrieved and pre-emptively scanned, but before said addressed data has been accessed by said user.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. Apparatus as claimed in claim 22, wherein said address identifying logic is operable to search within said currently held data for string data having a format matching a pointer to an internet address.
  - 24. Apparatus as claimed in claim 22, wherein said currently held data includes received e-mail messages.
  - 25. Apparatus as claimed in claim 22, wherein said scanning logic is operable to seek to detect within said addressed data one or more of:
    - computer viruses;
      
      worms;
      
      Trojans;
      
      banned computer programs;
      
      banned words;
      
      or banned images.
  - 26. Apparatus as claimed in claim 22, wherein said computer is a firewall computer via which internet traffic is passed to a local computer network.
  - 27. Apparatus as claimed in claim 22, wherein if malware is detected within said addressed data, then one or more malware found actions are triggered.
  - 28. Apparatus as claimed in claim 22, wherein said malware found actions including at least one of:
    - (i) preventing access to said currently held data;
      
      (ii) removing said at least one internet address from said currently held data;
      
      (iii) preventing access to said addressed data;
      
      (iv) removing said malware from said addressed data to generate clean addressed data and supplying said clean addressed data in place of said addressed data;
      
      (v) blocking internet access by a computer detected to be seeking to access said at least one internet address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Cole, Andrew Lewis, Roberts, Guy William Welch, Baulk, Eamonn John
Primary Examiner(s)
Moise, Emmanuel L.
Assistant Examiner(s)
Gelagay, Shewaye

Application Number

US10/024,200
Publication Number

US 20040088570A1
Time in Patent Office

1,705 Days
Field of Search

709/229, 709/206, 709/207, 713/200, 713/188, 726/24
US Class Current

726/24
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

H04L 63/1416 Event detection, e.g. attac...

Predictive malware scanning of internet data

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Predictive malware scanning of internet data

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links